cloud.go

@@ -200,19 +200,15 @@ func handleCloudRegister(c *gin.Context) {
 	sessionID, _ := c.Cookie("sessionId")
 	authToken, _ := c.Cookie("authToken")
 
-	// Require authentication for this endpoint
+	if sessionID != "" && authToken != "" && authToken == config.LocalAuthToken {
-	if authToken == "" || authToken != config.LocalAuthToken {
-		c.JSON(401, gin.H{"error": "Authentication required"})
-		return
-	}
-
-	// Check session permissions if session exists
-	if sessionID != "" {
 		session := sessionManager.GetSession(sessionID)
 		if session != nil && !session.HasPermission(PermissionSettingsWrite) {
 			c.JSON(403, gin.H{"error": "Permission denied: settings modify permission required"})
 			return
 		}
+	} else if sessionID != "" {
+		c.JSON(401, gin.H{"error": "Authentication required"})
+		return
 	}
 
 	var req CloudRegisterRequest

jsonrpc.go

@@ -12,7 +12,6 @@ import (
 	"reflect"
 	"regexp"
 	"strconv"
-	"strings"
 	"sync"
 	"time"
 
@@ -133,14 +132,8 @@ func writeJSONRPCEvent(event string, params any, session *Session) {
 
 	err = session.RPCChannel.SendText(requestString)
 	if err != nil {
-		// Check if it's a closed/closing error (expected during reconnection)
+		// Only log at debug level - closed pipe errors are expected during reconnection
-		errStr := err.Error()
+		scopedLogger.Debug().Err(err).Str("event", event).Msg("Could not send JSONRPC event (channel may be closing)")
-		if strings.Contains(errStr, "closed") || strings.Contains(errStr, "closing") {
-			scopedLogger.Debug().Err(err).Str("event", event).Msg("Could not send JSONRPC event (channel closing)")
-		} else {
-			// Other errors (buffer full, protocol errors) should be visible
-			scopedLogger.Warn().Err(err).Str("event", event).Msg("Failed to send JSONRPC event")
-		}
 		return
 	}
 }

jsonrpc_session_handlers.go

@@ -95,11 +95,42 @@ func handleRequestSessionApprovalRPC(session *Session) (any, error) {
 	return map[string]interface{}{"status": "requested"}, nil
 }
 
+func validateNickname(nickname string) error {
+	if len(nickname) < minNicknameLength {
+		return fmt.Errorf("nickname must be at least %d characters", minNicknameLength)
+	}
+	if len(nickname) > maxNicknameLength {
+		return fmt.Errorf("nickname must be %d characters or less", maxNicknameLength)
+	}
+	if !isValidNickname(nickname) {
+		return errors.New("nickname can only contain letters, numbers, spaces, and - _ . @")
+	}
+
+	for i, r := range nickname {
+		if r < 32 || r == 127 {
+			return fmt.Errorf("nickname contains control character at position %d", i)
+		}
+		if r >= 0x200B && r <= 0x200D {
+			return errors.New("nickname contains zero-width character")
+		}
+	}
+
+	trimmed := ""
+	for _, r := range nickname {
+		trimmed += string(r)
+	}
+	if trimmed != nickname {
+		return errors.New("nickname contains disallowed unicode")
+	}
+
+	return nil
+}
+
 func handleUpdateSessionNicknameRPC(params map[string]any, session *Session) (any, error) {
 	sessionID, _ := params["sessionId"].(string)
 	nickname, _ := params["nickname"].(string)
 
-	if err := sessionManager.validateNickname(nickname); err != nil {
+	if err := validateNickname(nickname); err != nil {
 		return nil, err
 	}
 

session_cleanup_handlers.go

@@ -2,8 +2,6 @@ package kvm
 
 import (
 	"time"
-
-	"github.com/pion/webrtc/v4"
 )
 
 // emergencyPromotionContext holds context for emergency promotion attempts
@@ -218,29 +216,18 @@ func (sm *SessionManager) promoteAfterGraceExpiration(expiredSessionID string, n
 	}
 }
 
-// handlePendingSessionTimeout removes timed-out pending sessions only if disconnected
+// handlePendingSessionTimeout removes timed-out pending sessions (DoS protection)
-// Connected pending sessions remain visible for approval (consistent UX)
+// Returns true if any pending session was removed
-// This prevents resource leaks while maintaining good user experience
 func (sm *SessionManager) handlePendingSessionTimeout(now time.Time) bool {
 	toDelete := make([]string, 0)
 	for id, session := range sm.sessions {
 		if session.Mode == SessionModePending &&
 			now.Sub(session.CreatedAt) > defaultPendingSessionTimeout {
-			// Only remove if the connection is closed/failed
+			websocketLogger.Debug().
-			// This prevents resource leaks while keeping connected sessions visible
+				Str("sessionId", id).
-			if session.peerConnection != nil {
+				Dur("age", now.Sub(session.CreatedAt)).
-				connectionState := session.peerConnection.ConnectionState()
+				Msg("Removing timed-out pending session")
-				if connectionState == webrtc.PeerConnectionStateClosed ||
+			toDelete = append(toDelete, id)
-					connectionState == webrtc.PeerConnectionStateFailed ||
-					connectionState == webrtc.PeerConnectionStateDisconnected {
-					websocketLogger.Debug().
-						Str("sessionId", id).
-						Dur("age", now.Sub(session.CreatedAt)).
-						Str("connectionState", connectionState.String()).
-						Msg("Removing timed-out disconnected pending session")
-					toDelete = append(toDelete, id)
-				}
-			}
 		}
 	}
 	for _, id := range toDelete {

session_manager.go

@@ -173,8 +173,11 @@ func (sm *SessionManager) AddSession(session *Session, clientSettings *SessionSe
 	}
 
 	if session.Nickname != "" {
-		if err := sm.validateNickname(session.Nickname); err != nil {
+		if len(session.Nickname) < minNicknameLength {
-			return err
+			return fmt.Errorf("nickname must be at least %d characters", minNicknameLength)
+		}
+		if len(session.Nickname) > maxNicknameLength {
+			return fmt.Errorf("nickname must be %d characters or less", maxNicknameLength)
 		}
 	}
 	if len(session.Identity) > maxIdentityLength {
@@ -248,13 +251,8 @@ func (sm *SessionManager) AddSession(session *Session, clientSettings *SessionSe
 
 		if existing.Mode == SessionModePrimary {
 			isBlacklisted := sm.isSessionBlacklisted(session.ID)
-			// SECURITY: Prevent dual-primary - check actual mode, not just existence
+			// SECURITY: Prevent dual-primary - only restore if no other primary exists
-			primaryExists := false
+			primaryExists := sm.primarySessionID != "" && sm.sessions[sm.primarySessionID] != nil
-			if sm.primarySessionID != "" {
-				if existingPrimary, ok := sm.sessions[sm.primarySessionID]; ok && existingPrimary.Mode == SessionModePrimary {
-					primaryExists = true
-				}
-			}
 			if sm.lastPrimaryID == session.ID && !isBlacklisted && !primaryExists {
 				sm.primarySessionID = session.ID
 				sm.lastPrimaryID = ""
@@ -426,8 +424,8 @@ func (sm *SessionManager) RemoveSession(sessionID string) {
 	// Only add grace period if this is NOT an intentional logout
 	if !isIntentionalLogout {
 		// Limit grace period entries to prevent memory exhaustion
-		// Evict entries ONLY when full, and only evict one entry
+		// Evict the entry that will expire soonest (oldest expiration time)
-		if len(sm.reconnectGrace) >= maxGracePeriodEntries {
+		for len(sm.reconnectGrace) >= maxGracePeriodEntries {
 			var evictID string
 			var earliestExpiration time.Time
 			for id, graceTime := range sm.reconnectGrace {
@@ -440,15 +438,8 @@ func (sm *SessionManager) RemoveSession(sessionID string) {
 			if evictID != "" {
 				delete(sm.reconnectGrace, evictID)
 				delete(sm.reconnectInfo, evictID)
-				sm.logger.Debug().
-					Str("evictedSessionID", evictID).
-					Msg("Evicted oldest grace period entry due to limit")
 			} else {
-				// Defensive: if we couldn't evict, don't add grace period
+				break
-				sm.logger.Error().
-					Int("graceCount", len(sm.reconnectGrace)).
-					Msg("Failed to evict grace period entry, skipping grace period for this session")
-				goto skipGracePeriod
 			}
 		}
 
@@ -465,8 +456,6 @@ func (sm *SessionManager) RemoveSession(sessionID string) {
 		}
 	}
 
-skipGracePeriod:
-
 	// If this was the primary session, clear primary slot and track for grace period
 	if wasPrimary {
 		if isIntentionalLogout {
@@ -1220,9 +1209,11 @@ func (sm *SessionManager) transferPrimaryRole(fromSessionID, toSessionID, transf
 		return fmt.Errorf("cannot promote: another primary session exists (%s)", existingPrimaryID)
 	}
 
+	// Promote target session
 	toSession.Mode = SessionModePrimary
 	toSession.hidRPCAvailable = false
-	if transferType == "emergency_timeout_promotion" {
+	// Reset LastActive for all emergency promotions to prevent immediate re-timeout
+	if strings.HasPrefix(transferType, "emergency_") {
 		toSession.LastActive = time.Now()
 	}
 	sm.primarySessionID = toSessionID
@@ -1471,19 +1462,16 @@ func extractBrowserFromUserAgent(userAgent string) *string {
 	ua := strings.ToLower(userAgent)
 
 	// Check for common browsers (order matters - Chrome contains Safari, etc.)
-	// Optimize Safari check by caching Chrome detection
-	hasChrome := strings.Contains(ua, "chrome")
-
 	if strings.Contains(ua, "edg/") || strings.Contains(ua, "edge") {
 		return &BrowserEdge
 	}
 	if strings.Contains(ua, "firefox") {
 		return &BrowserFirefox
 	}
-	if hasChrome {
+	if strings.Contains(ua, "chrome") {
 		return &BrowserChrome
 	}
-	if strings.Contains(ua, "safari") {
+	if strings.Contains(ua, "safari") && !strings.Contains(ua, "chrome") {
 		return &BrowserSafari
 	}
 	if strings.Contains(ua, "opera") || strings.Contains(ua, "opr/") {
@@ -1526,37 +1514,6 @@ func generateNicknameFromUserAgent(userAgent string) string {
 }
 
 // ensureNickname ensures session has a nickname, auto-generating if needed
-func (sm *SessionManager) validateNickname(nickname string) error {
-	if len(nickname) < minNicknameLength {
-		return fmt.Errorf("nickname must be at least %d characters", minNicknameLength)
-	}
-	if len(nickname) > maxNicknameLength {
-		return fmt.Errorf("nickname must be %d characters or less", maxNicknameLength)
-	}
-	if !isValidNickname(nickname) {
-		return errors.New("nickname can only contain letters, numbers, spaces, and - _ . @")
-	}
-
-	for i, r := range nickname {
-		if r < 32 || r == 127 {
-			return fmt.Errorf("nickname contains control character at position %d", i)
-		}
-		if r >= 0x200B && r <= 0x200D {
-			return errors.New("nickname contains zero-width character")
-		}
-	}
-
-	trimmed := ""
-	for _, r := range nickname {
-		trimmed += string(r)
-	}
-	if trimmed != nickname {
-		return errors.New("nickname contains disallowed unicode")
-	}
-
-	return nil
-}
-
 func (sm *SessionManager) ensureNickname(session *Session) {
 	// Skip if session already has a nickname
 	if session.Nickname != "" {

ui/src/components/AccessDeniedOverlay.tsx

@@ -1,4 +1,4 @@
-import { useEffect, useState, useCallback, useRef } from "react";
+import { useEffect, useState, useCallback } from "react";
 import { useNavigate } from "react-router";
 import { XCircleIcon } from "@heroicons/react/24/outline";
 
@@ -30,7 +30,6 @@ export default function AccessDeniedOverlay({
   const { maxRejectionAttempts } = useSettingsStore();
   const [countdown, setCountdown] = useState(10);
   const [isRetrying, setIsRetrying] = useState(false);
-  const hasCountedRef = useRef(false);
 
   const handleLogout = useCallback(async () => {
     try {
@@ -51,15 +50,7 @@ export default function AccessDeniedOverlay({
   }, [navigate, setUser, clearSession, clearNickname]);
 
   useEffect(() => {
-    if (!show) {
+    if (!show) return;
-      hasCountedRef.current = false;
-      setCountdown(10);
-      return;
-    }
-
-    // Only count rejection once per showing
-    if (hasCountedRef.current) return;
-    hasCountedRef.current = true;
 
     const newCount = incrementRejectionCount();
 

ui/src/components/InfoBar.tsx

@@ -31,16 +31,9 @@ export default function InfoBar() {
 
   useEffect(() => {
     if (!rpcDataChannel) return;
-    rpcDataChannel.onclose = () => {
+    rpcDataChannel.onclose = () => console.log("rpcDataChannel has closed");
-      if (rpcDataChannel.readyState === "closed") {
+    rpcDataChannel.onerror = (e: Event) =>
-        console.debug("rpcDataChannel closed");
+      console.error(`Error on DataChannel '${rpcDataChannel.label}': ${e}`);
-      }
-    };
-    rpcDataChannel.onerror = (e: Event) => {
-      if (rpcDataChannel.readyState === "open" || rpcDataChannel.readyState === "connecting") {
-        console.error(`Error on DataChannel '${rpcDataChannel.label}':`, e);
-      }
-    };
   }, [rpcDataChannel]);
 
   const { keyboardLedState, usbState } = useHidStore();

ui/src/hooks/useVersion.tsx

@@ -29,10 +29,7 @@ export function useVersion() {
     return new Promise<SystemVersionInfo>((resolve, reject) => {
       send("getUpdateStatus", {}, (resp: JsonRpcResponse) => {
         if ("error" in resp) {
-          const errorMsg = typeof resp.error === 'object' && resp.error.message
+          notifications.error(`Failed to check for updates: ${resp.error}`);
-            ? resp.error.message
-            : String(resp.error);
-          notifications.error(`Failed to check for updates: ${errorMsg}`);
           reject(new Error("Failed to check for updates"));
         } else {
           const result = resp.result as SystemVersionInfo;
@@ -59,11 +56,8 @@ export function useVersion() {
             console.warn("Failed to get device version, using legacy version");
             return getVersionInfo().then(result => resolve(result.local)).catch(reject);
           }
-          console.error("Failed to get device version:", resp.error);
+          console.error("Failed to get device version N", resp.error);
-          const errorMsg = typeof resp.error === 'object' && resp.error.message
+          notifications.error(`Failed to get device version: ${resp.error}`);
-            ? resp.error.message
-            : String(resp.error);
-          notifications.error(`Failed to get device version: ${errorMsg}`);
           reject(new Error("Failed to get device version"));
         } else {
           const result = resp.result as VersionInfo;

ui/src/routes/devices.$id.tsx

@@ -965,11 +965,10 @@ export default function KvmIdRoute() {
   useEffect(() => {
     if (appVersion) return;
     if (rpcDataChannel?.readyState !== "open") return;
-    if (currentMode === "pending") return;
 
     getLocalVersion();
     // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [appVersion, rpcDataChannel?.readyState, currentMode]);
+  }, [appVersion, rpcDataChannel?.readyState]);
 
   const ConnectionStatusElement = useMemo(() => {
     const isOtherSession = location.pathname.includes("other-session");